Make sure that all cloud security roles and responsibilities are accounted for.
The focus for this article is cybersecurity for Physical Security as a Service (PSaaS) cloud-based offerings, meaning subscription-based offerings that include system software for managing and utilizing on-premises security system equipment such as card readers, security video surveillance cameras, intrusion detection devices, and so on. The system software is the key element of a PSaaS offering with which the users interact. It is provided as a cloud-based Software as a Service (SaaS) application.
Well-designed and soundly implemented cloud-based applications can be much more secure than in-house applications, but only if all of the security roles and responsibilities are understood and accounted for. This is why security integrators must understand all of the roles and responsibilities relating to the security of SaaS applications and their data, and to the security of the on-premises equipment as well.
Growing Value of Security System Data
The proven high worth of video analytics for retail organizations is a good example of how security system analytics data continues to increase in value as the capabilities of analytics and big data analysis evolve. Such analytics data contains personally identifiable information (PII), as well as other data that requires privacy protections (such as security investigations data). Advances in electronic security systems assure that going forward, the cybersecurity protection of security systems data will continue to increase in importance.
Roles and Responsibilities
There are cybersecurity responsibilities for both the on-premises and cloud-based elements of a PSaaS solution. Who is responsible for the cybersecurity of each part? Table 1 lists the roles and responsibilities for a simple PSaaS solution.
Table 1. PSaaS Offering Cybersecurity Roles and Responsibilities
Role | Description | Security Responsibilities |
---|---|---|
Cloud Service Customer | Utilizes the PSaaS offering for security operations and investigations, and uses the business-related video analytics data for business planning and decision-making. | Responsible for: |
Security Systems Integrator | Installs and maintains the PSaaS on-premises equipment. | Responsible for: |
PSaaS Vendor | Provides the SaaS Application and provides or specifies the on-premises equipment that the Security Systems Integrator resells. | Responsible for: |
Cloud Infrastructure Provider | Provides the Platform as a Service (PaaS) infrastructure on which a SaaS application runs (such as Microsoft Azure or Amazon AWS). | Responsible for: |
Complex Deployments
Cybersecurity responsibilities for more complex PSaaS deployments are simply extended across the vendors and cloud infrastructure providers involved. It is possible, for example, to have two or three PSaaS vendors (such as one each for access control, video management, video analytics and visitor management). Each PSaaS vendor may have a different cloud infrastructure provider. There may be both cloud-level integrations and on-premises integrations between the various PSaaS offerings. All of the cybersecurity issues must be identified and the responsibilities accounted for to assure that there are no gaps in cybersecurity protection. This should be reflected in the documentation of the various product and service offerings. Assurance of continuous conformance to cybersecurity requirements should be provided by the chain of Service Level Agreements from Cloud Infrastructure Provider to PSaaS Vendor to Security Systems Integrator to Cloud Service Customer.
Clarity is a Requirement
Whether the picture is simple or complex, it is important to assure the cybersecurity of a PSaaS offering by determining, fully agreeing on, documenting, and verifying who is responsible for what, and how those responsibilities will be lived up to.
This article first appeared in Security Dealer and Integrator magazine’s November 2016 issue.
Other Articles in this Series
This is the fifth article in Ray Bernard’s series in Security Dealer and Integrator magazine dealing with cloud-based systems.
Here are links to the other articles:
Avoid Key Cloud Services Mistakes
(SD&I March 2016)
www.SecurityInfoWatch.com/12177153
Cloud Computing: Clarity or Confusion?
(SD&I June 2016)
www.SecurityInfoWatch.com/12211857
Evaluating a Cloud-Based Service
(SD&I July 2016)
www.SecurityInfoWatch.com/12223384
Addressing Cloud Risk
(SD&I September 2016)
http://www.securityinfowatch.com/12243763
This article takes up the issue of how salespeople can kill deals by saying the wrong things about cloud security.